0
votes

In my ASP.NET application, I'm getting the following error message during a POST with certain input:

A potentially dangerous Request.Form value was detected from the client

I know that this occurs because a feature of .NET called Request Validation is preventing potentially dangerous characters that could be used in an XSS attack from being submitted. However, I use an HTML editor and need to be able to turn this feature off for that editor.

I can do this in my web.config file, but it is globally effective - which I am not happy about because it disables this security feature on all fields in my application, not just the HTML editor.

I tried setting the ValidateRequest property of the Page directive in the specific pages I wanted to turn this off in, but unfortunately it did not work.

Can anyone think of any reason why this didn't work?

Edit

Well, I got it working. Thanks to your guys' help I was able to find a property in the editor that allowed encoding of the text area's content before form submission, so .NET was OK with that - then before database insertion and re-rendering of the content I am decoding the content, and all is almost well in the universe.

Now that the editor itself works and no longer throws this error... I have encountered another problem, and I am confused why this would even be a problem. I have breadcrumbs at the top of the page; when you click one of the breadcrumbs (LinkButtons) the page bombs with the same error ("A potentially dangerous Request.Form value..."). I'm confused as to why this would happen. LinkButtons simply submit the form and post the page back on itself - the submit button does the same thing. So why would the submit button function correctly and not the LinkButtons for the breadcrumbs?

I should mention the breadcrumbs are in a user control - although I don't believe that should make a difference.

Thoughts?

3
Your question is a little confusing. What feature did you turn off in web.config, and how? What precisely is it doing to your input, and have you tried ways of working around it? - Tim Yates
What do you mean it "did not work"? What happened? - womp
What HTML editor do you use? If it's CKEditor, look at this: cksource.com/forums/viewtopic.php?f=5&t=288 - Greg
It is indeed CKEditor - good call Greg :) That post unfortunately doesn't help my case too much though, as the proposed solutions call for editing the web.config or setting the editor to HTML-encode the output, which defeats the purpose of the editor. I tried telling the editor to HTML-encode the contents on submission and then HTML-decoding the results before DB insertion/updating, but that did not work; the content is still encoded. - Mark
I've seen the save button built into CKEditor cause this error on the open source software NopCommerce, but they also have a Save button on the page that works. I'm not sure how it works though. - Greg

3 Answers

2
votes

I set ValidateRequest to false and it worked for me... That's what Microsoft recommends too: http://www.asp.net/learn/whitepapers/request-validation/. If you are using VS, maybe try cleaning and rebuilding?

I tend to do it in the @Page directive and not the config file though, but you are the first I've heard of it not working...

0
votes

You really don't want to turn this off if you can avoid it, because it does help prevent XSS attacks. It would be much better to find the actual cause of the problem. Typically this error is thrown if the viewstate in the page does not match the control set in the code-behind. The primary reasons for this might be:

  1. The application pool has a copy of the .dll in memory that does not match the HTML portion of the page.
  2. If you are running Cassini, stop debugging, stop the Cassini server process, clean the solution and rebuild.
  3. If you are experiencing this on a remote server, recycle the application pool, clear your page cache, and retry.
  4. It is possible that the temporary ASP.NET files are unable to be rewritten following a recycle or a rebuild.
  5. If you are on a remote server, stop the website and stop the application pool. Go to the appropriate Temporary ASP.NET Files directory and delete the folder for your application.
  6. If you are in Cassini server, stop debugging, stop the Cassini server process, and close VS. Then go to the Temporary ASP.NET Files and delete them all. Reload VS, clean/build. Try again.

0
votes

Here is a jQuery trick to encode a field's value, in this case "textarea":

    // Replace each textarea's raw value with its HTML-encoded form by
    // setting it as text on a throwaway <div> and reading back the markup.
    $("textarea").each(function(i) {
        var $textbox = $(this);
        $textbox.val($('<div/>').text($textbox.val()).html());
    });
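The encode-before-submit / decode-before-storage round trip the asker describes in the edit, and the jQuery trick above, as an added example that is not code from the question or any answer. It is plain JavaScript with no DOM so it runs offline; the `looksDangerousToRequestValidation` check is an assumed approximation of the patterns Request Validation rejects, not the .NET implementation, and the sample editor contents are constructed.

```javascript
// DOM-free equivalent of $('<div/>').text(v).html(): a text node serializes
// '&', '<' and '>' as entities, so the raw markup never reaches Request Validation.
function htmlEncode(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Server-side counterpart (HttpUtility.HtmlDecode in the .NET code-behind),
// reproduced in JavaScript only so the round trip can be exercised here.
// '&amp;' is decoded last so an original '&lt;' is restored correctly.
function htmlDecode(value) {
  return String(value)
    .replace(/&lt;/g, "<")
    .replace(/&gt;/g, ">")
    .replace(/&amp;/g, "&");
}

// Assumed approximation of what Request Validation flags: '<' followed by a
// letter, '!', '/' or '?', and the '&#' entity prefix.
function looksDangerousToRequestValidation(value) {
  return /<[a-zA-Z!\/?]|&#/.test(value);
}

// Constructed sample editor contents: ordinary rich text and an XSS-style probe.
const SAMPLE_EDITOR_HTML = "<p>Hello &amp; <b>welcome</b></p>";
const SAMPLE_PROBE = "<script>alert(1)</script>";

// Walk one value through the client encode and server decode steps.
function roundTrip(value) {
  const encoded = htmlEncode(value);
  const decoded = htmlDecode(encoded);
  return {
    encoded,
    passesValidation: !looksDangerousToRequestValidation(encoded),
    decoded,
    // true means the stored content is the original raw HTML again:
    // the trick only changes how the value travels, so the decoded markup
    // still needs sanitizing (or output encoding) before it is re-rendered.
    decodedStillRaw: decoded === String(value),
  };
}
```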